Provisions against digital rights management in a draft update to the General Public License could undermine computer security, Linus Torvalds said this week in e-mails reflecting the Linux leader's pragmatic philosophy.

"I think a lot of people may find that the GPLv3 'anti-DRM' measures aren't all that wonderful after all," Torvalds said in a posting Wednesday to the Linux kernel mailing list. "Digital signatures and cryptography aren't just 'bad DRM.' They very much are 'good security' too."

The Free Software Foundation is in the process of revising the GPL, a seminal document that not only governs thousands of open-source projects but also functions as the constitution of the free software movement. One of the major new provisions in the proposed GPL version 3 is designed to prevent use of GPL software in conjunction with digital rights management. DRM technology does everything from encrypting movies and music to permitting only a digitally signed software to run on a specific computing device.

Torvalds gave some examples of areas where he believes it's appropriate for secret digital keys to be used to sign software, or for a computer to run only software versions that have this digital signature to assure they're authorized.

A company might want to distribute a Linux version that loads only kernel modules that have been signed, for example. Or they may want one that marks the kernel as "tainted" if it loads unsigned modules, Torvalds said.

He added: "The current GPLv3 draft pretty clearly says that Red Hat would have to distribute their private keys, so that anybody can sign their own versions of the modules they recompile, in order to re-create their own versions of the signed binaries that Red Hat creates. That's insane."

The foundation added the anti-DRM provision in part so companies such as TiVo wouldn't be able to continue their current practice of using only authorized versions of Linux. The move restricts software freedoms that the foundation considers essential.

But Torvalds said he believes it's not the software programmer's place to tell hardware designers what to do; if a hardware company's proprietary practices are objectionable, programmers should simply buy another company's hardware, Torvalds said.

"I literally feel that we do not--as software developers--have the moral right to enforce our rules on hardware manufacturers. We are not crusaders, trying to force people to bow to our superior God. We are trying to show others that co-operation and openness works better," Torvalds said in one e-mail.

In a later e-mail, Torvalds elaborated on his pragmatic attitude and opined that it's part of the reason for Linux's achievements.

"A lot of people see the GPL as a 'crusading' license, and I think that's partly because the FSF really has been acting like a crusader," Torvalds wrote. "But I think that one of the main reasons Linux has been successful is that I don't think that the Linux community really is into crusading (some small parts of it are, but it's not the main reason). I think Linux has made the GPL more 'socially acceptable,' by being a hell of a lot less religious about it than the FSF was."

"GPLv2 is fair. It asks others to give back exactly what I myself offer: the source code to play with," Torvalds said. "The GPLv3 fundamentally changes that balance, in my opinion. It asks for more than it gives. It no longer asks for just source back, it asks for control over whatever system you used the source in."

When it comes using DRM to encrypt digital content such as movies, Torvalds suggested in another e-mail that people take a different approach: employ a license from a group such as the Creative Commons that requires content to remain open.

"If enough interesting content is licensed that way, DRM eventually becomes marginalized. Yes, it takes decades, but that's really no different at all from how the GPL works," Torvalds said.

And he said the power of entrenched media companies doesn't just come through encryption.

"As long as you expect Disney to feed your brain and just sit there on your couch, Disney and company will always be able to control the content you see," Torvalds said. "DRM is the smallest part of it. The crap we see and hear every day (regardless of any protection) is a much bigger issue."

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.
See full bio